Hi list,

I've got a root-server at Puretec running SuSE 7.2 and I'm concerned about the security of the machine due to the "rough" environment in that rack... I thought about prevention of ARP-poisoning and came up with the following ideas:

1) Static entry in the ARP-table (arp -s) - if Puretec changes the NIC of the router, I'm offline - not good!
2) Accepting ARP-packets from the router only (iptables filters on MAC) - same problem as in 1)
3) Reading the ARP-table via cronjob and comparing it to the original value, sending a warning email if the entry changes - the mail would go to the attacking machine; would it come through?
4) Using arpwatch would tell me about other root-servers contacting mine directly, which should never be necessary, short of a curious user like me - lots of false alarms to be expected
5) Taking the response time of a ping to the router. The value should increase considerably going through a man in the middle - same problem as in 3): when the problem is detected, the attack was already successful.
6) Reading all MACs of all servers in the rack and comparing the entry for the router with them. If there's a match it looks like an attack, so I could reset the entry to the former value. If there's no match the entry should be accepted.

Methods 1 and 2 prevent ARP-poisoning at the cost of turning the link down if Puretec (legally) changes the router! Methods 3, 4 and 5 only indicate a successful attack, but what to do then? I can't log in to my machine without compromising the password. I could use one-time passwords of course, but I doubt I'll be able to convince my POP users of that procedure too... Method 6 would give an opportunity to react to an attack shortly after it happened. Not very secure, but at least something.
I suppose the switch is the right place to prohibit ARP-poisoning, but that's the realm of Puretec, and as to their security awareness I might tell you after the vendor reaction time ;-) I googled a bit and found quite a lot of descriptions but no real solution to the problem. So my question: Is there any better solution to this problem? Any input is welcome - have a lot of fun

Roland Hilkenbach
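The following is an added example, not code from Roland's post, showing how his methods 3 and 6 combine into one cron-driven check of the kernel ARP table. It reads /proc/net/arp (the same data `arp -an` prints), compares the router's entry with a stored baseline MAC, and, if the new MAC belongs to one of the other servers in the rack, treats it as poisoning and restores the baseline with `arp -s`; a MAC seen on no rack neighbour is accepted as a legitimate router change, exactly as method 6 proposes. The router address 10.0.0.1, the baseline MAC and the RACK_MACS set are assumptions for illustration, the ARP snapshots are constructed sample data, and the script is written for a current Python 3 rather than the Python shipped with SuSE 7.2.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# --- Hypothetical settings, not from the post ------------------------------
ROUTER_IP = "10.0.0.1"                  # the Puretec router, assumed address
KNOWN_GOOD_MAC = "00:11:22:33:44:55"    # last accepted MAC of the router
# MACs of the other root-servers in the rack, gathered beforehand (method 6).
RACK_MACS = {"00:aa:bb:cc:dd:17", "00:aa:bb:cc:dd:23"}

# Constructed samples of /proc/net/arp (Linux 2.4 layout, as on SuSE 7.2).
SAMPLE_OK = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         00:11:22:33:44:55     *        eth0
10.0.0.17        0x1         0x2         00:aa:bb:cc:dd:17     *        eth0
"""
# Router entry now carries the MAC of a rack neighbour: classic poisoning.
SAMPLE_POISONED = SAMPLE_OK.replace("00:11:22:33:44:55", "00:AA:BB:CC:DD:17")
# Router entry carries a MAC seen nowhere else in the rack: plausibly Puretec
# swapped the router NIC, so method 6 says accept it (and re-baseline).
SAMPLE_NEW_ROUTER = SAMPLE_OK.replace("00:11:22:33:44:55", "00:11:22:33:44:99")
# Router entry unresolved (flags 0x0, all-zero MAC): nothing to compare yet.
SAMPLE_MISSING = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x0         00:00:00:00:00:00     *        eth0
10.0.0.17        0x1         0x2         00:aa:bb:cc:dd:17     *        eth0
"""

# Columns: IP, HW type, flags, HW address, mask, device.
ARP_LINE = re.compile(r"^(\S+)\s+0x\w+\s+(0x\w+)\s+(\S+)\s+\S+\s+(\S+)\s*$")


def parse_proc_arp(text: str) -> Dict[str, Tuple[str, int]]:
    """Map IP -> (lowercased MAC, flags) from /proc/net/arp text.

    Incomplete entries (ATF_COM bit 0x2 clear) are skipped, so an unresolved
    router shows up as 'missing' instead of as a bogus all-zero address."""
    table: Dict[str, Tuple[str, int]] = {}
    for line in text.splitlines()[1:]:          # first line is the header
        m = ARP_LINE.match(line)
        if not m:
            continue
        ip, flags_hex, mac, _dev = m.groups()
        flags = int(flags_hex, 16)
        if flags & 0x2 == 0:
            continue
        table[ip] = (mac.lower(), flags)
    return table


def check_router(arp_text: str, router_ip: str, known_good: str,
                 rack_macs) -> Tuple[str, Optional[str], Optional[List[str]]]:
    """Apply methods 3 and 6 to one snapshot of the ARP table.

    Returns (verdict, observed_mac, command) where verdict is one of
      'ok'        - router still has the baseline MAC
      'poisoned'  - router MAC belongs to another server in the rack;
                    command restores the baseline with 'arp -s' (method 6)
      'changed'   - router MAC is new and matches no rack neighbour; accept
                    it as a legitimate hardware change and re-baseline
      'missing'   - no complete entry for the router
    The command is returned rather than executed, so the decision logic can
    be tested without root and without touching the live table."""
    known_good = known_good.lower()
    rack = {m.lower() for m in rack_macs}
    entry = parse_proc_arp(arp_text).get(router_ip)
    if entry is None:
        return "missing", None, None
    mac, _flags = entry
    if mac == known_good:
        return "ok", mac, None
    if mac in rack:
        return "poisoned", mac, ["arp", "-s", router_ip, known_good]
    return "changed", mac, None


def read_proc_arp() -> str:
    """Read the live kernel ARP table (what 'arp -an' prints)."""
    with open("/proc/net/arp") as fh:
        return fh.read()


def main() -> None:
    verdict, mac, cmd = check_router(read_proc_arp(), ROUTER_IP,
                                     KNOWN_GOOD_MAC, RACK_MACS)
    print(f"router {ROUTER_IP}: {verdict} (MAC {mac})")
    if cmd:
        # Needs root; makes the entry permanent (flags 0x6), see note below.
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    main()
```

Run it from cron every minute and log the verdict somewhere local as well as by mail, since, as the post notes, the warning mail itself travels through the possibly poisoned path. Two caveats follow directly from the method: `arp -s` pins the restored entry as permanent, so until it is removed with `arp -d` the check is back to method 1 and will never see a legitimate router change; and a 'changed' verdict is also what an attacker produces by answering with a MAC that is not in RACK_MACS, so method 6 only catches an attacker who advertises a MAC already known in the rack.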